Necessity of GPG when using SSL

Henry Hertz Hobbit hhhobbit7 at netscape.net
Wed Feb 15 09:22:18 CET 2006



Jim Berland <berland at gmail.com> wrote:

>Hi everybody,
>
>I understand the use of GPG end-to-end-encryption and use it with a  
>few of my contacts. What I want to make sure is the following.
>
>I am going to move to China for some time. My email ISP is located  
>outside China and I connect to it via SSL. So if I am only concerned  
>about the Chinese (whatever the reason; maybe my doubts are  
>unreasonable?) and not about the complete end-to-end-encryption of  
>GPG, the SSL encryption alone will do the job. Is that correct?

In short, SSL is not a complete solution and there is a need for
GPG or some other OpenPGP solution.  Usually, if you are using a
web interface to access your email, only the initial authentication
is done via SSL.  After that if your URL address shifts to using an
"http://" rather than the "https://" you made your initial connection
with means that your communication just shifted from SSL (weak
encryption) to NO encryption.  That is the norm.

Actually, you should have done some initial research with Google.
You may have found that it is illegal for you to use GPG or
PGP (strong encryption) while in China.  I don't know if they
would have prevented you from taking it into China, but the less
said about it the better.  Too late for that now, isn't it?  It
is best to go under the radar screen.  Primarily, what you would
want encrypted is your financial information anyway, or at least
that is what I would want encrypted.  So, just take the CD with
GnuPG precompiled with you (you did do a "make install > INSTALL.LOG \
2>&1" didn't you?) AND your keyrings and trusted DB files.  I can't
assume that you will even have access to a compiler where you are
going.  On the other hand you didn't say whether or not you are using
MS Windows (makes the install even easier).  I do assume that you will
have access to tar and gzip where you are going.

So, I reiterate -  SSL is not enough.  Most POP / IMAP mailers
in the United States and Europe don't have you make the initial
connection encrypted.  By that I mean it isn't even possible to
protect your initial connection and your login password is sent
in clear text.  SSL is designed and used for only critical short
periods of time.

Ciao

HHH


__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp



More information about the Gnupg-users mailing list